
Support Forum

My problem is a hijack of the proxy settings and I cannot remove it even by editing pref.js file. It just keeps restoring the use manual proxy settings.

Posted

I had the cycbot trojan and have removed it. However my browser will not connect to the Internet unless I manually select no proxy in the connection settings. then on restart of firefox the settings change back to a manual proxy.


Additional System Details

This happened

Every time Firefox opened

This started when...

After infection with Cycbot

Installed Plug-ins

  • np-mswmp
  • Foxit Reader Plug-In For Firefox and Netscape
  • npdivxplayerplugin
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Google Update
  • Shockwave Flash 10.0 r32
  • iTunes Detector Plug-in
  • DivX Web Player version 2.0.3.4
  • Next Generation Java Plug-in 1.6.0_24 for Mozilla browsers
  • Yahoo Application State Plugin version 1.0.0.7
  • 4.0.60310.0
  • NPWLPG
  • NVIDIA 3D Vision plugin for Mozilla browsers
  • NVIDIA 3D Vision Streaming plugin for Mozilla browsers

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

More Information

I have tried editing in about:config where I can see the rogue proxy and port settings and in the pref.js file but each time I restart firefox they still appear. I am sure the initial trojan is gone as several AV products have now declared it clean. Can you assist?

Xircal 334 solutions 3835 answers

According to Symantec, it listens on TCP port 50730. See Backdoor.Cycbot

So the first thing to do is to block that port with your firewall if you haven't done so already.

Then click the Firefox button, go to Options | Options | Advanced and in the Network tab, click the Settings button. In there, checkmark the option called "Use system proxy settings". This affords you some degree of protection since Firefox connects to itself on localhost (port 127.0.0.1).

If you think prefs.js is corrupted, rename it to prefs.jsOLD and Firefox will create a new one the next time you restart.

Question owner

Hi, Thanks for the suggestions. I tried renaming the prefs.js file and when I started firefox I got the same result. I looked at the proxy settings and it still says 127.0.0.1 with an odd port number. Checking the new prefs it has created it still contains the wrong info so it must be pulling it from somewhere else.

This is what I cannot get rid of.

user_pref("network.cookie.prefsMigrated", true);
user_pref("network.http.max-connections", 48);
user_pref("network.http.max-connections-per-server", 16);
user_pref("network.http.max-persistent-connections-per-proxy", 16);
user_pref("network.http.max-persistent-connections-per-server", 8);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 64586);
user_pref("network.proxy.type", 1);

Incidentally it has allowed me to create a new profile which, if I choose that, then the network is good. However I then do not have the other contents of my old profile like passwords and bookmarks.

Thoughts?

Xircal 334 solutions 3835 answers

If a new Profile fixes the problem, then you can move your data from the old one quite easily actually. See Use the Profile Manager to create and remove Firefox profiles

Question owner

that may well be the route I take thank you. However I am puzzled by the automatic writing of those network settings into the pref.js file. Where are they coming from?

Xircal 334 solutions 3835 answers

I think you still have this piece of malware on your system. See this report: http://www.threatexpert.com/report.aspx?md5=c5270e75e811141e97fa754bd1d534f7

The TCP port mentioned in your prefs.js file can be seen in there.

Have a look at the registry settings mentioned there.

Any files which won't 'delete' can be erased with this utility: http://www.heidi.ie/eraser/

Question owner

That is certainly what I had. Although I cannot find those files now since the AV cleared them away. The registry appears clean of that IP and port after I just searched. All that keeps happening is the persistent re-entry of those settings back into the pref.js. It's the one in my default profile. I only had the one at the time. I created a new one and as I said that's clean. But I am still worried by the persistence of the settings. I know that they are not coming by magic... but from where?

I did just find that the profiles are under a roaming directory not sure if that is normal as I have never dived this deep into firefox.

Xircal 334 solutions 3835 answers

Chosen Solution

I think what you can do here is to go to about:config and then in the filter at the top, enter each of those entries one at a time, then right click them and choose Reset. This should restore their default values.

So network.proxy.http_port should revert to '0' when you do that instead of its current value of 64586.

the-edmeister
  • Top 10 Contributor
  • Moderator
3195 solutions 24398 answers

Is there a user.js file in that old Profile? If so, open that user.js file see if those prefs are in there.

Unless you are using that user.js file for some other prefs, just delete it.

user.js is "read" after the prefs.js file and the prefs in it are written to the prefs.js file.
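As an added illustration of the two points above (the chosen solution's reset of the network.proxy.* prefs, and user.js being applied after prefs.js and written back), here is a small Python checker that is not part of this thread: it parses prefs.js / user.js entries, merges them in Firefox's load order, and flags a manual proxy pointed at a loopback listener. The sample entries are constructed to mirror the ones quoted in the thread; the profile path argument to scan_profile is whatever folder you point it at.

```python
import re
from pathlib import Path

# Matches one prefs.js / user.js entry: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

SAMPLE_PREFS_JS = '''user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 64586);
user_pref("network.proxy.type", 1);
'''  # constructed sample, mirrors the hijacked entries quoted in the thread

def parse_prefs(text):
    """Parse user_pref() lines into a dict; strings are unquoted, ints and bools converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def merged_prefs(prefs_js_text, user_js_text):
    """Firefox reads user.js after prefs.js, so user.js values override and get written back."""
    merged = parse_prefs(prefs_js_text)
    merged.update(parse_prefs(user_js_text))
    return merged

def proxy_findings(prefs):
    """Flag a manual-proxy configuration that points Firefox at a loopback listener."""
    findings = []
    if prefs.get("network.proxy.type") == 1:          # 1 = manual proxy configuration
        findings.append("network.proxy.type=1: manual proxy is enabled")
        for scheme in ("http", "ssl", "ftp", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            port = prefs.get(f"network.proxy.{scheme}_port", 0)
            if host in ("127.0.0.1", "localhost", "::1") and port:
                findings.append(f"{scheme} proxy -> {host}:{port} (local interception)")
    return findings

def scan_profile(profile_dir):
    """Read prefs.js and user.js (if present) from a profile folder and return findings."""
    d = Path(profile_dir)
    texts = [(d / f).read_text(encoding="utf-8") if (d / f).exists() else "" for f in ("prefs.js", "user.js")]
    return proxy_findings(merged_prefs(*texts))
```

Running scan_profile against a profile folder before and after resetting the prefs in about:config shows whether the loopback proxy entry has actually gone, and whether a user.js is putting it back.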

Question owner

I tried about:config and reset everything to default. Closed Firefox and still no joy. I still get a connection denied proxy error. Then I looked at the user.js and there are no network settings in there to speak of. Removing it made no difference.

Hmmm..

Question owner

Yippeee I fixed it.

So here's what I did.

Knowing that the new profile works and the default did not:

I opened both profiles and moved all the contents of default into a scratch folder. I then copied all the contents of the new profile folder into the now empty default profile folder.

Started Firefox using the default profile (via Profile Manager). That worked (as I suspected), presuming that the nasty files are now in the scratch folder.

There were some spurious network entries but this time about:config let me edit the settings back to default. Tested it a couple of times and all good. So I copied the now refreshed prefs.js into the scratch folder.

Deleted all the contents of the default folder.

Copied the entire scratch folder back.

It now works as it should.

I can only suspect some jedi type file corruption ??

Xircal 334 solutions 3835 answers

Helpful Reply

Vulnerabilities in your system as far as Firefox is concerned currently lie with your Plugins. The following are out of date.

It's difficult to see whether any of the others are out of date because I can't see the versions. So a visit to the Plugins Check page is in order I think.


Also, I notice you have Foxit Reader installed. Did you opt out of the Ask Toolbar installation which comes bundled with that? If not, then you'll find the Ask Toolbar by clicking the Firefox button, then Add-ons | Extensions. Remove it in there. See http://kb.mozillazine.org/Problematic_extensions

Ask(dot)com directs your searches to its advertiser database before displaying any neutral results like Google does. Some of those may come from dubious sources.


This particular Trojan incorporates a keylogger, so it's advisable to change all your passwords now. A good external password manager is "Keepass", free from http://keepass.info/


Last but not least, install this add-on: https://addons.mozilla.org/en-US/firefox/addon/quickjs/ It adds a button to the toolbar which you can use to disable/enable Javascript on the fly. Disable it before you visit any sites you haven't been to before. This will prevent so called drive-by downloads when you inadvertently visit a site which has been compromised.

Question owner

I appreciate the additional tips, thank you. Although I am puzzled by how you know that I have Foxit and that my Adobe is out of date?

Xircal 334 solutions 3835 answers

Click the link called "More System Details", top right ;)

Question owner

Sneaky :-)

Thanks for your guidance.

Question owner

I have just checked running processes etc. and I have csrss.exe running. I believe that this can become compromised. Do you know how I can validate effectively that this file is still good?

Xircal 334 solutions 3835 answers

The default locations for this file are:

  • C:\WINDOWS\system32

  • C:\WINDOWS\ServicePackFiles\i386

The file size for both is 6KB

If it says "SYSTEM" in the Processes tab in Task Manager, then it's OK. Open Task Manager by right clicking a blank part of the Windows Taskbar.

Upload it to http://virusscan.jotti.org/en for peace of mind.

Question owner

I have two instances of it running in task manager and both say system, mine is 8k in size (I'm running win 7 64bit)

Oddly although I can locate it in explorer I cannot see it when using the file upload and browsing to the system32 folder.

Question owner

I copied it to desktop and then sent it to the scanner and it came back clean.

cool

Thanks again

Xircal 334 solutions 3835 answers

You're welcome.

Xircal 334 solutions 3835 answers

Another useful security tool for you is Microsoft's Process Explorer. You can use it to check what's happening on the fly by right clicking the process, go to Properties and for example, see if the file is connecting to the Internet. See screenshot of csrss.exe running on my own system.

Download from: http://technet.microsoft.com/en-us/sysinternals/bb896653